A stupid question about SQL injection attacks in PHP....

RedBMedia

Proficient

Posts: 315

3+ Months Ago

So up until this point I have been using mysql_real_escape_string() to clean incoming data before it hits the DB. But, when looking back at my code, I have noticed that for some reason I only used it when the SQL statement was inserting data. Now I have looked at this example and they use mysql_real_escape_string() even when selecting data. So, do I need to go back and change all my code and include mysql_real_escape_string() when selecting from the DB as well?

joebert

Genius

Posts: 13511

Loc: Florida

3+ Months Ago

Every query you have that has a section which was built using data submitted by the user needs to be screened. Every query: SELECT, INSERT, DELETE, etc. Every one.

Data submitted by the user includes (but isn't limited to) $_GET, $_POST, and $_COOKIE variables, as well as variables that you might not realize are coming from the user at first glance, such as $_SERVER["HTTP_REFERER"] or $_SERVER["HTTP_ACCEPT_LANGUAGE"].

RedBMedia

Proficient

Posts: 315

3+ Months Ago

joebert wrote:

Every query you have that has a section which was built using data submitted by the user needs to be screened. Every query: SELECT, INSERT, DELETE, etc. Every one.

Data submitted by the user includes (but isn't limited to) $_GET, $_POST, and $_COOKIE variables, as well as variables that you might not realize are coming from the user at first glance, such as $_SERVER["HTTP_REFERER"] or $_SERVER["HTTP_ACCEPT_LANGUAGE"].

Thanks for the tip... so, how would an attacker push malicious code through the $_SERVER array?

joebert

Genius

Posts: 13511

Loc: Florida

3+ Months Ago

The $_SERVER array generally includes things from HTTP request headers, things like the referrer, the accepted character sets/encodings, preferred language, etc.

For example, if you have something that logs $_SERVER['HTTP_REFERER'] to the database, you'll want to screen that yourself, as it can contain bad data just as easily as GET or POST can.
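Putting the advice above into code, as an added example that is not from this thread: a SELECT and a header-logging INSERT that both screen their user-supplied input, next to the unsafe SELECT pattern the question describes. Because the mysql_* extension discussed here was removed in PHP 7, the example uses mysqli prepared statements rather than mysql_real_escape_string(); the table and column names and the connection details are assumptions.

```php
<?php
// Added example (not from the thread): the "screen every query" rule applied
// to a SELECT and to a Referer-logging INSERT. Connection values, table and
// column names are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

// --- Unsafe: the WHERE clause is built straight from request data.
// Reading rows is no safer than writing them; the query text itself is
// under the user's control.
function findUserUnsafe(mysqli $db, string $username): ?array {
    $sql = "SELECT id, email FROM users WHERE username = '$username'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Safe: the value travels as a bound parameter, never as SQL text.
function findUser(mysqli $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// --- Request headers are user input too: the Referer is bound exactly as a
// form field would be. A missing header becomes an empty string.
function logReferer(mysqli $db, int $userId, array $server): bool {
    $referer = (string) ($server['HTTP_REFERER'] ?? '');
    $stmt = $db->prepare('INSERT INTO visits (user_id, referer) VALUES (?, ?)');
    $stmt->bind_param('is', $userId, $referer);
    return $stmt->execute();
}

// REMOTE_PORT comes from the TCP connection rather than a header; the
// type-cast mentioned later in the thread is enough screening here.
$port = (int) ($_SERVER['REMOTE_PORT'] ?? 0);

$user = findUser($db, (string) ($_GET['username'] ?? ''));
if ($user !== null) {
    logReferer($db, (int) $user['id'], $_SERVER);
}
```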

RedBMedia

Proficient

Posts: 315

3+ Months Ago

Oh, I see, so the attacker might spoof the header... never thought of that.

joebert

Genius

Posts: 13511

Loc: Florida

3+ Months Ago

What I do when deciding whether I should screen something is ask myself the question, "Is this something the server could generate even without a request from a user?" If the answer is no, then the data is immediately subject to screening. If the answer is yes, it is something the server could generate without a request from a user, and I look and see whether it's something the server generates on its own, or whether it's something the server will override with data submitted from a user, before deciding whether to screen it.

An edge case would be $_SERVER['QUERY_STRING']: I know that the server generates this variable, but I also know it's generated from user-submitted data.

There's $_SERVER["REMOTE_PORT"], which is technically sent by the user, but if that was spoofed then the TCP communication would never have let the request get to the script in the first place. I feel I can trust this particular variable, though if I'm feeling paranoid I might type-cast it.